Informatica 39 (2015) 375-382

Privacy-preserving Cloud-based Personal Health Record System Using Attribute-based Encryption and Anonymous Multi-Receiver Identity-based Encryption

Changji Wang
Cisco School of Informatics, Guangdong University of Foreign Studies, Guangzhou 510006, China
E-mail: wchangji@gmail.com

Xilei Xu, Dongyuan Shi and Jian Fang
School of Information Science and Technology, Sun Yat-sen University, Guangzhou 510275, China

Keywords: personal health record, cloud computing, ciphertext-policy attribute-based encryption, anonymous multi-receiver identity-based encryption

Received: July 16, 2015

As an emerging patient-centric model of health information exchange, the cloud-based personal health record (CB-PHR) system holds great promise for empowering patients and ensuring more effective delivery of health care. In this paper, we design a novel CB-PHR system. It allows PHR owners to securely store their health data on semi-trusted cloud service providers, and to selectively share their health data with a wide range of PHR users. To reduce the key management complexity, we divide PHR users into two security domains named public domain and personal domain. PHR owners encrypt their health data for the public domain using a ciphertext-policy attribute-based encryption scheme, and encrypt their health data for the personal domain using an anonymous multi-receiver identity-based encryption scheme. Only authorized users whose credentials satisfy the specified ciphertext-policy or whose identities belong to dedicated identities can decrypt the encrypted health data. Extensive analytical and experimental results are presented which show that our CB-PHR system is secure, privacy-protected, scalable and efficient.

Abstract (translated from the Slovenian "Povzetek"): The CB-PHR system, i.e. a system for cloud-based health records, is presented.

1 Introduction

In recent years, the personal health record system has emerged as a patient-centric model of health information exchange.
It enables patients to create and control their health data in a centralized place through a web-based application from anywhere and at any time, which has made the storage, retrieval, and sharing of health data more efficient. Due to the high cost of building and maintaining specialized data centers, as well as the vigorous development of cloud computing in recent years, many PHR services are outsourced to third-party cloud service providers (CSPs), for example, Microsoft Health Vault, Google Health, Indivo and MyPHR.

Although cloud-assisted PHR services could offer a great opportunity to improve the quality of health care services and potentially reduce health care costs, there have been wide privacy concerns, as personal health information could be exposed to those semi-trusted CSPs and to unauthorized parties. Health data can reveal very sensitive information, including fertility, surgical procedures, emotional and psychological disorders and diseases, etc. There exist health care regulations such as HIPAA, which was recently amended to incorporate business associates, but CSPs are usually not covered entities. Moreover, due to the high value of health data, CSPs are often the targets of various malicious behaviors which may lead to exposure of health data. In addition, CSPs have significant commercial interest in collecting and sharing patients' health data with pharmacy companies, research institutions or insurance companies.

To keep sensitive health data confidential against those semi-trusted CSPs and unauthorized parties in a CB-PHR system, a natural way is to store only the encrypted data in the cloud. At the same time, it is important to allow patients to selectively share their health data with a wide range of users, including staff from health care providers and medical research institutions, and family members or friends. It is thus essential to provide fine-grained data access control mechanisms that work with semi-trusted CSPs.

1.1 Related work

Anonymous Multi-Receiver Identity-Based Encryption: Boneh and Franklin [1] proposed the first practical and secure identity-based encryption (IBE) scheme from bilinear pairings. Since then, IBE has attracted a lot of attention and a large number of IBE schemes and related systems have been proposed. Considering a situation where a sender would like to encrypt a message for t receivers, the sender must encrypt the message t times using conventional IBE schemes. To improve the performance, Baek et al. [2] first introduced the notion of multi-receiver IBE scheme, and proposed an efficient provably secure multi-receiver IBE scheme from bilinear pairings. Next, Boyen and Waters [3] proposed an anonymous IBE scheme to guarantee receiver's privacy, where the ciphertext does not leak the identity of the recipient.

Later, Fan et al. [4] introduced the concept of anonymous multi-receiver IBE (AMRIBE) scheme, and proposed an AMRIBE scheme from bilinear pairings. Fan et al. claimed that their AMRIBE scheme makes it impossible for an attacker or any other receiver to derive the identity of a message receiver, such that the privacy of every receiver can be guaranteed. Unfortunately, Chien [5] showed that in Fan et al.'s AMRIBE scheme any selected receiver may extract the identities of the other selected receivers, and presented an improved AMRIBE scheme. However, only heuristic arguments for security proofs are presented. Recently, Tseng et al. [6] proposed an efficient AMRIBE scheme with complete receiver anonymity and proved that the scheme is semantically secure against adaptively chosen-ciphertext attacks.

Attribute-Based Encryption: In some scenarios, the recipient of the ciphertext is not yet known at the time of the encryption, or there is more than one recipient who should be able to decrypt the ciphertext.
To preserve data confidentiality and enforce fine-grained access control simultaneously, Sahai and Waters [7] first introduced the concept of attribute-based encryption (ABE), which is envisioned as an important tool for addressing the problem of secure and fine-grained data sharing and access control. ABE has attracted lots of attention from both academia and industry in recent years, and various ABE schemes have been proposed, such as [8-13].

There are two main types of ABE schemes in the literature: Key-Policy ABE (KP-ABE) and Ciphertext-Policy ABE (CP-ABE). In a KP-ABE system, ciphertexts are labeled by the sender with a set of descriptive attributes, and users' private keys, issued by the trusted attribute authority, are associated with access structures that specify which type of ciphertexts the key can decrypt. Goyal et al. [8] proposed the first KP-ABE scheme, which was very expressive in that it allowed the access policies to be expressed by any monotonic formula over encrypted data. In a CP-ABE system, by contrast, when a sender encrypts a message, they specify an access policy in terms of an access structure over attributes in the ciphertext, stating what kind of receivers will be able to decrypt the ciphertext. Users possess sets of attributes and obtain corresponding secret attribute keys from the attribute authority; such a user can decrypt a ciphertext if his/her attributes satisfy the access policy associated with the ciphertext. Bethencourt et al. [9] constructed the first CP-ABE scheme, but its security was proved in the generic group model. Later, Waters [10] proposed an efficient CP-ABE scheme with expressive access policy described in general linear secret sharing scheme.

Several CB-PHR systems using ABE schemes have been developed in recent years. Ibraimi et al.
[14] proposed a secure PHR management system using Bethencourt et al.'s CP-ABE scheme, which allows PHR owners to encrypt their health data according to an access policy over a set of attributes issued by two trusted authorities. Later, Li et al. [15] proposed a secure and scalable PHR sharing framework on semi-trusted storage servers under multi-owner settings by leveraging both KP-ABE and CP-ABE techniques.

1.2 Our contributions

Semantic security against adaptive chosen-ciphertext attacks (IND-CCA) is the de facto level of security required for asymmetric encryption schemes used in practice. The access policy supported by Waters's CP-ABE scheme [10] is expressive. However, the scheme is only proved to be semantically secure against chosen-plaintext attack (IND-CPA). Okamoto and Pointcheval [16] proposed a method named rapid enhanced-security asymmetric cryptosystems transform (REACT) for any asymmetric encryption scheme to achieve IND-CCA security from IND-CPA security. In this paper, we first apply the REACT technique to Waters' CP-ABE scheme [10] to obtain an IND-CCA secure CP-ABE scheme in the random oracle model.

Tseng et al. [6] extended Boneh and Franklin's IBE scheme [1] to the multiple recipients scenario and proposed an efficient AMRIBE scheme. To achieve IND-CCA security, they adopted the Fujisaki-Okamoto transformation [17], which lets any asymmetric encryption scheme achieve IND-CCA security from one-way security in the random oracle model. We note that k can play the same role as a in the Fujisaki-Okamoto transformation of Tseng et al.'s AMRIBE scheme [6]. In this paper, we further improve Tseng et al.'s AMRIBE scheme without compromising security.

Finally, we propose a new CB-PHR system, which allows patients to securely store their health data on semi-trusted CSPs, and selectively share their health data with a wide range of users, including health care professionals like doctors and nurses, family members or friends.
To reduce the key management complexity for PHR owners and PHR users, we divide the system into public domain (PUD) and personal domain (PSD). The PUD consists of users who make access based on their professional roles, such as doctors, nurses and medical researchers. The PSD consists of users who are familiar to the PHR owner, such as family members or close friends. PHR owners encrypt their health data for the PUD users using the CP-ABE scheme, while they encrypt their health data for the PSD using the AMRIBE scheme. Only authorized users whose credentials satisfy the specified ciphertext-policy or whose identities belong to dedicated identities can decrypt the encrypted health data, where the ciphertext-policy or dedicated identities are embedded in the encrypted health data.

1.3 Paper organization

This paper is structured as follows. We review some necessary preliminary work in Section 2. Next, we describe our proposed CB-PHR system in Section 3. Then, we give security and efficiency analysis in Section 4. Finally, we conclude our paper and discuss our future work in Section 5.

2 Preliminaries

A prime order bilinear group generator $\mathcal{G}$ is an algorithm that takes as input a security parameter $\kappa$ and outputs a bilinear group $(p, G_1, G_2, \hat{e}, g)$, where $p$ is a prime of size $2^{\kappa}$, $G_1$ and $G_2$ are cyclic groups of order $p$, $g$ is a generator of $G_1$, and $\hat{e} : G_1 \times G_1 \to G_2$ is a bilinear map with the following properties:

- Bilinearity: $\hat{e}(g^a, g^b) = \hat{e}(g, g)^{ab}$ for $a, b \xleftarrow{\$} \mathbb{Z}_p^*$. Here $x \xleftarrow{\$} S$ denotes picking an element $x$ uniformly at random from the set $S$.
- Non-degeneracy: $\hat{e}(g, g)$ is a generator of $G_2$.
- Computability: There is an efficient algorithm to compute $\hat{e}(g_1, g_2)$ for $g_1, g_2 \in G_1$.

The bilinear Diffie-Hellman (BDH) assumption in a prime order bilinear group $(p, G_1, G_2, \hat{e}, g)$ is that if a tuple $(g, g^a, g^b, g^c)$ is given for unknown $a, b, c \xleftarrow{\$} \mathbb{Z}_p$, there is no probabilistic polynomial-time (PPT) adversary $\mathcal{A}$ that can compute $\hat{e}(g, g)^{abc}$ with non-negligible advantage.

The decisional bilinear Diffie-Hellman (DBDH) assumption in a prime order bilinear group $(p, G_1, G_2, \hat{e}, g)$ is that if a tuple $(g, g^a, g^b, g^c, T)$ is given for unknown $a, b, c \xleftarrow{\$} \mathbb{Z}_p$ and $T \xleftarrow{\$} G_2$, there is no PPT adversary $\mathcal{A}$ that can decide whether $T = \hat{e}(g, g)^{abc}$ with non-negligible advantage.

The gap bilinear Diffie-Hellman (GBDH) assumption in a prime order bilinear group $(p, G_1, G_2, \hat{e}, g)$ is that if a tuple $(g, g^a, g^b, g^c)$ is given for unknown $a, b, c \xleftarrow{\$} \mathbb{Z}_p$, there is no PPT adversary $\mathcal{A}$ that can compute $\hat{e}(g, g)^{abc}$ with the help of the DBDH oracle with non-negligible advantage. The DBDH oracle, given a tuple $(g, g^a, g^b, g^c, T)$, outputs 1 if $T = \hat{e}(g, g)^{abc}$ and 0 otherwise.

The decisional q-parallel bilinear Diffie-Hellman exponent (q-DBDHE) assumption is that if $X \xleftarrow{\$} G_2$ and

$$y = \big(g, g^s, g^a, \ldots, g^{(a^q)}, g^{(a^{q+2})}, \ldots, g^{(a^{2q})},\; g^{s \cdot b_j}, g^{a/b_j}, \ldots, g^{(a^q/b_j)}, g^{(a^{q+2}/b_j)}, \ldots, g^{(a^{2q}/b_j)},\; g^{a \cdot s \cdot b_k/b_j}, \ldots, g^{(a^q \cdot s \cdot b_k/b_j)}\big)$$

are given for unknown $a, s, b_1, \ldots, b_q \xleftarrow{\$} \mathbb{Z}_p^*$, where $1 \le j \le q$, $1 \le k \le q$ and $k \ne j$, there is no PPT adversary $\mathcal{A}$ that can decide whether $X = \hat{e}(g, g)^{a^{q+1}s}$ with non-negligible advantage.

Let $\Omega = \{attr_1, attr_2, \ldots, attr_n\}$ be a set of attributes. A collection $\mathbb{A} \subseteq 2^{\Omega}$ is monotone if for any sets of attributes $\omega$ and $\omega'$ we have that if $\omega \in \mathbb{A}$ and $\omega \subseteq \omega'$ then $\omega' \in \mathbb{A}$. An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection) $\mathbb{A} \subseteq 2^{\Omega} \setminus \{\emptyset\}$. The sets in $\mathbb{A}$ are called the authorized sets of attributes, and the sets not in $\mathbb{A}$ are called the unauthorized sets of attributes. If a set of attributes $\omega$ satisfies an access structure $\mathbb{A}$, we denote it as $\mathbb{A}(\omega) = 1$. In this paper, we restrict our attention to monotone access structures.

As stated in [18], any monotone access structure can be represented by a linear secret sharing scheme (LSSS). A secret sharing scheme $\Pi$ for an access structure $\mathbb{A}$ over a set of attributes $\Omega$ is called linear over $\mathbb{Z}_p$ if

- The shares for each attribute form a vector over $\mathbb{Z}_p$.
- There exists a matrix $M_{\ell \times n}$ called the share generating matrix for $\Pi$. For all $i = 1, 2, \ldots, \ell$, we let the function $\rho$ define the attribute labeling row $i$ of $M_{\ell \times n}$ as $\rho(i)$. When we consider the column vector $v = (s, r_2, \ldots, r_n)^T$, where $s \in \mathbb{Z}_p$ is the secret to be shared and $r_2, \ldots, r_n \xleftarrow{\$} \mathbb{Z}_p$, then $M_{\ell \times n} v$ is the vector of $\ell$ shares of the secret $s$ according to $\Pi$. The share $\alpha_i = (M_{\ell \times n} v)_i$ belongs to attribute $\rho(i)$.

Beimel [18] showed that every LSSS enjoys the linear reconstruction property: Suppose that $\Pi$ is an LSSS for the access structure $\mathbb{A}$. Let $\omega \in \mathbb{A}$ be any authorized set, and define $I = \{i \mid \rho(i) \in \omega\} \subseteq \{1, 2, \ldots, \ell\}$. If $\{\alpha_i\}$ are valid shares of any secret $s$ according to $\Pi$, then there exist constants $\{\beta_i\}$ for $i \in I$ such that $\sum_{i \in I} \alpha_i \beta_i = s$, and these constants $\{\beta_i\}$ can be found in time polynomial in the size of $M_{\ell \times n}$. For unauthorized sets, no such constants $\{\beta_i\}$ exist.

3 Our CB-PHR system

There are four participants involved in our CB-PHR system.

- A trusted authority (TA), who acts as the root of trust and is responsible for generating system parameters, issuing attribute-based private keys or identity-based private keys for PHR owners and PHR users.
- A semi-trusted CSP, who manages a cloud to provide data storage service. It is important to assume that CSP is semi-trusted, which means CSP will try to find out as much secret information in the stored health data as possible, but it will honestly follow the protocol in general.
- Multiple PHR users, who belong to PUD or PSD. PHR users in PUD make access based on their professional roles, such as doctors, nurses, and medical researchers, while PHR users in PSD make access based
on their identities, such as patients' family members or close friends.
- Multiple PHR owners (patients), who encrypt and outsource their sensitive health data to CSP. Specifically, PHR owners encrypt their health data for PUD users using improved Waters' CP-ABE scheme, while they encrypt their health data for PSD users using improved Tseng et al.'s AMRIBE scheme.

Fig. 1 illustrates the system architecture and workflow of our CB-PHR system, which is explained as follows.

[Figure 1: Architecture and workflow of our CB-PHR system. Labels: TA, Users, Identities, Access Structure; steps 1. Setup, 2. KeyGen, 3. Encrypt, 4. Decrypt.]

3.1 Setup

TA first defines the universe $\Omega$ of attributes, runs $\mathcal{G}(1^{\kappa}) \to (p, G_1, G_2, \hat{e}, g)$, chooses $x, y \xleftarrow{\$} \mathbb{Z}_p^*$ and $h_i \xleftarrow{\$} G_1$ for $1 \le i \le n$. Next, TA computes $h = g^x$ and $Y = \hat{e}(g, g)^y$, and picks a semantically secure symmetric encryption scheme $\Gamma$ with key space $\mathcal{K}$, encryption algorithm Enc and decryption algorithm Dec, respectively. TA then chooses a cryptographically secure message authentication code $\text{MAC} : \mathcal{K} \times \{0,1\}^* \to \mathbb{Z}_p$ and three cryptographically secure hash functions: $H_1 : \{0,1\}^* \to G_1$, $H_2 : G_2 \to \mathcal{K}$ and $H_3 : G_2 \to \mathbb{Z}_p^*$. Finally, TA sets the master secret key $msk = (x, g^y)$, and the system parameters $mpk = (\Omega, p, G_1, G_2, \hat{e}, g, h, Y, \{h_i\}_{i=1}^{n}, \{H_i\}_{i=1}^{3}, \text{MAC}, \Gamma)$.

3.2 KeyGen

Given a user's identity $ID$ and a set $\omega \subseteq \Omega$ of attributes belonging to the user, TA chooses $z \xleftarrow{\$} \mathbb{Z}_p^*$, computes $g_{ID} = H_1(ID)$, $D_{ID} = g_{ID}^{x}$, $K = g^{xz} g^{y}$, $L = g^{z}$, and $K_i = h_i^{z}$ for all $attr_i \in \omega$. TA then sets the user's private key $sk_{ID,\omega} = (D_{ID}, K, L, \{K_i\}_{attr_i \in \omega})$, and sends $sk_{ID,\omega}$ to the user via a secure channel.

Note: If a user requests an identity-based private key corresponding to an identity $ID$, then TA only needs to compute $sk_{ID} = D_{ID}$. If a user requests an attribute-based private key corresponding to a set $\omega$ of attributes, then TA only needs to compute $sk_{\omega} = (K, L, \{K_i\}_{attr_i \in \omega})$.

3.3 Encrypt

Given an original health data $m$ to be encrypted, an LSSS access structure $\mathbb{A} = (M_{\ell \times n}, \rho)$ and a list of identities $ID_R = \{ID_i\}_{i=1}^{t}$, the PHR owner performs the following steps.

1. Choose $s \xleftarrow{\$} \mathbb{Z}_p^*$, $u_1, \ldots, u_n, r_1, \ldots, r_\ell \xleftarrow{\$} \mathbb{Z}_p$, $U \xleftarrow{\$} G_2$, and set $u = (s, u_2, \ldots, u_n)^T$.
2. Compute $k_1 = H_2(U)$, $E_1 = \text{Enc}(k_1, m)$, $C' = g^s$, $C_1 = U \cdot \hat{e}(g, g)^{sy}$, $\alpha_i = (M_{\ell \times n} u)_i$, $C_i = g^{x\alpha_i} h_{\rho(i)}^{-r_i}$ and $D_i = g^{r_i}$ for $1 \le i \le \ell$, and $A_1 = \text{MAC}(k_1, m, E_1, C', C_1, C_1, D_1, \ldots, C_\ell, D_\ell)$.
3. Choose $k_2 \xleftarrow{\$} \mathcal{K}$, compute $E_2 = \text{Enc}(k_2, m)$, $g_{ID_i} = H_1(ID_i)$ and $v_i = H_2(\hat{e}(g_{ID_i}, h)^s)$ for $ID_i \in ID_R$.
4. Construct the polynomial $f(x) = \prod_{i=1}^{t}(x - v_i) + k_2 = c_0 + c_1 x + \cdots + c_{t-1} x^{t-1} + x^t \bmod p$, and compute $A_2 = \text{MAC}(k_2, m, E_2, C', c_0, c_1, \ldots, c_{t-1})$.
5. Set the ciphertext $CT = (C', C_1, \{C_i, D_i\}_{i=1}^{\ell}, \{c_i\}_{i=0}^{t-1}, E_1, E_2, A_1, A_2)$.
6. Finally, the PHR owner uploads the ciphertext to CSP along with a description of the access policy $(M_{\ell \times n}, \rho)$ and a set of identities of designated recipients $ID_R$.

Note: If a PHR owner wants to share his/her health data with PHR users from the PUD, then the PHR owner only needs to perform step 1 and step 2. If a PHR owner wants to share his/her health data with PHR users from the PSD, then the PHR owner only needs to perform step 3, step 4 and compute $C' = g^s$.

3.4 Decrypt

Given a ciphertext $CT$ along with a description of the access policy $\mathbb{A} = (M_{\ell \times n}, \rho)$ and a set $ID_R$ of identities, a PHR user performs different steps depending on whether the PHR user is from the PUD or from the PSD.

- If the PHR user is from the PUD, and he owns credentials corresponding to a set $\omega$ of attributes such that $\mathbb{A}(\omega) = 1$, then the PHR user computes

$$U' = \frac{C_1 \cdot \prod_{i \in I} \big(\hat{e}(C_i, L)\, \hat{e}(D_i, K_{\rho(i)})\big)^{\beta_i}}{\hat{e}(C', K)}$$
$$k_1' = H_2(U')$$
$$m' = \text{Dec}(k_1', E_1)$$
$$A_1' = \text{MAC}(k_1', m', E_1, C', C_1, \{C_i, D_i\}_{i=1}^{\ell})$$

where $\rho(i)$, $\beta_i$ and $I$ are defined in Section 2. Finally, the PHR user tests whether $A_1' = A_1$ or not. If it holds, the PHR user accepts the message $m = m'$, and outputs $\perp$ otherwise.

- If the PHR user is from the PSD, and his identity $ID_i$ belongs to the set $ID_R$ of identities of designated recipients, then the PHR user computes

$$v_i' = H_2(\hat{e}(D_{ID_i}, C'))$$
$$k_2' = f(v_i') = c_0 + c_1 v_i' + \cdots + c_{t-1} v_i'^{\,t-1} + v_i'^{\,t} \bmod p$$
$$m' = \text{Dec}(k_2', E_2)$$
$$A_2' = \text{MAC}(k_2', m', E_2, C', c_0, c_1, \ldots, c_{t-1})$$

Finally, the PHR user tests whether $A_2' = A_2$ or not. If it holds, the PHR user accepts the message $m = m'$, and outputs $\perp$ otherwise.

4 Security proofs and efficiency analysis

Theorem 1. Our CB-PHR system is correct.

Proof. The correctness can be verified as follows.

$$\frac{\hat{e}(C', K)}{\prod_{i \in I} \big(\hat{e}(C_i, L)\, \hat{e}(D_i, K_{\rho(i)})\big)^{\beta_i}} = \frac{\hat{e}(g^s, g^{xz} g^y)}{\prod_{i \in I} \big[\hat{e}(g^{x\alpha_i} h_{\rho(i)}^{-r_i}, g^z)\, \hat{e}(g^{r_i}, h_{\rho(i)}^{z})\big]^{\beta_i}} = \frac{\hat{e}(g, g)^{sy}\, \hat{e}(g, g)^{sxz}}{\prod_{i \in I} \hat{e}(g, g)^{xz\alpha_i\beta_i}} = \frac{\hat{e}(g, g)^{sy}\, \hat{e}(g, g)^{sxz}}{\hat{e}(g, g)^{xz \sum_{i \in I} \alpha_i \beta_i}} = \frac{\hat{e}(g, g)^{sy}\, \hat{e}(g, g)^{sxz}}{\hat{e}(g, g)^{sxz}} = \hat{e}(g, g)^{sy}$$

$$H_2(\hat{e}(D_{ID_i}, C')) = H_2(\hat{e}(g_{ID_i}^{x}, g^s)) = H_2(\hat{e}(g_{ID_i}, h)^s) = v_i$$

$$f(x) = c_0 + c_1 x + \cdots + c_{t-1} x^{t-1} + x^t = \prod_{i=1}^{t}(x - v_i) + k_2 \bmod p = (x - v_i) F(x) + k_2 \bmod p$$
$$\Rightarrow f(v_i) = c_0 + c_1 v_i + \cdots + c_{t-1} v_i^{t-1} + v_i^{t} = (v_i - v_i) F(v_i) + k_2 \bmod p = k_2$$

This completes the proof. □

Theorem 2. Our CB-PHR system satisfies receiver anonymity in the random oracle model under the GBDH assumption.

Proof. PHR owners encrypt their health data for receivers in the PUD using an improved Waters's CP-ABE scheme, where the REACT technique [16] is applied to achieve IND-CCA security. Intended receivers are specified through attributes owned by receivers instead of receivers' identities, and these attributes can potentially be shared by an unlimited number of PHR users. Thus receiver anonymity is satisfied for PHR users in the PUD. PHR owners encrypt their health data for PHR users in the PSD using an improved Tseng et al.'s AMRIBE scheme [6]. We improved Tseng et al.'s AMRIBE scheme [6] without compromising security by removing a and related operations, because k plays the same role as a in the Fujisaki-Okamoto transformation of Tseng et al.'s AMRIBE scheme [6]. Tseng et al.'s AMRIBE scheme is proved to satisfy receiver anonymity in the random oracle model under the GBDH assumption, thus receiver anonymity is satisfied for PHR users in the PSD.
□

Theorem 3. Our CB-PHR system is IND-CCA secure in the selective model under the q-DBDHE assumption and GBDH assumption.

Proof. PHR owners encrypt their health data for PHR users in the PUD using our improved IND-CCA secure CP-ABE scheme, which is obtained by applying the REACT transformation to Waters' CP-ABE scheme [10]. Waters' CP-ABE scheme is proved to be IND-CPA secure in the selective model under the q-DBDHE assumption, and the REACT transformation is a generic method for any asymmetric encryption scheme to achieve IND-CCA security from IND-CPA security, thus our improved CP-ABE scheme is IND-CCA secure in the selective model under the q-DBDHE assumption. For detailed proofs, we recommend you refer to [10] and [16].

PHR owners encrypt their health data in the PSD using our improved Tseng et al.'s AMRIBE scheme. We improved Tseng et al.'s AMRIBE scheme [6] without compromising security by removing a and related operations, because k plays the same role as a in the Fujisaki-Okamoto transformation of Tseng et al.'s AMRIBE scheme [6]. Tseng et al.'s AMRIBE scheme is proved to be IND-CCA secure in the selective model under the GBDH assumption, thus our improved AMRIBE scheme is IND-CCA secure in the selective model under the GBDH assumption. For detailed proofs, we recommend you refer to [6].

In summary, our CB-PHR system is IND-CCA secure in the selective model under the q-DBDHE assumption and GBDH assumption. □

Table 1 shows the computational cost of each participant in our CB-PHR system.

Table 1: Efficiency analysis of our CB-PHR system (× = not applicable)

| Participant | Private key size | Encrypt cost | Decrypt cost |
|---|---|---|---|
| PHR Owner | × | $N_R t_p + (2\ell + 1) t_m + t_e + 2 t_E + N_R t_H$ | × |
| A PUD User | $(N_a + 2)\lvert G_1 \rvert$ | × | $(2 + N_I) t_p + N_I t_e + t_D$ |
| A PSD User | $\lvert G_1 \rvert$ | × | $t_p + t_D$ |

Denote by $t_p$, $t_m$, $t_e$, $t_H$, $t_E$, $t_D$ the computation cost of a bilinear pairing in $(G_1, G_2)$, a multiplication in $G_1$, an exponentiation in $G_2$, a map-to-point hash function $H_1$, an encryption and a decryption in $\Gamma$, respectively. Other operations are omitted in the following analysis since their computation cost is trivial. Denote by $N_R$, $N_a$, $N_I$, $|m|$, $|G_1|$ and $|\mathbb{Z}_p^*|$ the number of receivers in the PSD, the number of attributes owned by a user in the PUD, the number of attributes in the set $I$, the bit-length of a plaintext, of an element in group $G_1$, and of an element in group $\mathbb{Z}_p^*$, respectively.

In order to evaluate the performance of our CB-PHR system, we implement the corresponding algorithms based on the Charm Crypto Framework (version 0.42) [19] and the pairing-based crypto (PBC) library [22]. Figure 2 shows the performance of our CB-PHR system, where times are measured in seconds (averaged over 30 iterations) and were computed on an Intel processor at 2.40GHz with 2GB RAM. We test on SS512-type elliptic curves with symmetric bilinear pairings, 512 bytes plaintext, the AES-256 symmetric encryption algorithm, and the number of attributes and identities chosen from 5 to 30 and from 5 to 15, respectively.

Figure 2(a) illustrates the relationship between the running time for attribute-based private key generation and the number of attributes. Figure 2(b) illustrates the relationship between the running time for encryption and the number of attributes, where we fix the number of receivers at 15. Figure 2(c) illustrates the relationship between the running time for decryption for a PHR user in the PUD and the number of attributes. Figure 2(d) illustrates the relationship between the running time for decryption for a user in the PSD and the number of designated receivers.

5 Conclusion

In this paper, we propose a novel patient-centric framework for secure sharing of personal health records in cloud computing.
It allows patients to securely store their health data on the semi-trusted cloud service providers, and to selectively share their health data with a wide range of users, including health care professionals such as doctors and nurses, family members or friends. To reduce the key management complexity for patients and users, we divide the users into public domain and personal domain. Different from existing cloud-based personal health record systems, in our system patients encrypt their health data for the public domain using a ciphertext-policy attribute-based encryption scheme, and encrypt their health data for the personal domain using an anonymous multi-receiver identity-based encryption scheme. Extensive analytical and experimental results show that our cloud-based personal health record system is secure, privacy-protected, scalable and efficient. In future work we will design a cloud-based personal health record system supporting efficient data utilization services, such as data retrieval and data statistics.

[Figure 2: Performance test of CB-PHR system. Surviving panel titles: (c) Decrypt time for PUD users; (d) Decrypt time for PSD users.]

Acknowledgement

This paper is jointly supported by the National Natural Science Foundation of China (Grant No. 61173189), the Foundation for Innovative Research Team of Yunnan University, Guangdong Province Information Security Key Laboratory Project, Yunnan Province Software Engineering Key Laboratory Project (Grant No. 2015SE203).

References

[1] D. Boneh and M. Franklin (2001) Identity-based encryption from the Weil pairing, CRYPTO 2001, LNCS 2139, Springer Berlin Heidelberg, pp. 213-229.
[2] J. Baek, R. Safavi-Naini and W. Susilo (2005) Efficient Multi-receiver Identity-Based Encryption and Its Application to Broadcast Encryption, PKC 2005, LNCS 3386, Springer Berlin Heidelberg, pp. 380-397.
[3] X. Boyen and B.
Waters (2006) Anonymous hierarchical identity-based encryption (without random oracles), CRYPTO 2006, LNCS 4117, Springer Berlin Heidelberg, pp. 290-307.
[4] C.I. Fan, L.Y. Huang and P.H. Ho (2010) Anonymous multireceiver identity-based encryption, IEEE Transactions on Computers, Vol. 59, No. 9, pp. 1239-1249.
[5] H.Y. Chien (2012) Improved anonymous multi-receiver identity-based encryption, The Computer Journal, Vol. 55, No. 4, pp. 439-445.
[6] Y.M. Tseng, Y.H. Huang and H.J. Chang (2012) CCA-secure anonymous multi-receiver ID-based encryption, 26th International Conference on Advanced Information Networking and Applications Workshops, IEEE, pp. 177-182.
[7] A. Sahai and B. Waters (2005) Fuzzy identity-based encryption, EUROCRYPT 2005, LNCS 3494, Springer Berlin Heidelberg, pp. 457-473.
[8] V. Goyal, O. Pandey, A. Sahai and B. Waters (2006) Attribute-based encryption for fine-grained access control of encrypted data, CCS 2006, ACM, New York, pp. 89-98.
[9] J. Bethencourt, A. Sahai and B. Waters (2007) Ciphertext-policy attribute-based encryption, IEEE Symposium on Security and Privacy, IEEE, pp. 321-334.
[10] B. Waters (2011) Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization, PKC 2011, LNCS 6571, Springer Berlin Heidelberg, pp. 53-70.
[11] J. Li, Q. Wang, C. Wang and R. Kui (2011) Enhancing attribute-based encryption with attribute hierarchy, Mobile Network Application, Vol. 16, No. 5, pp. 553-561.
[12] C.J. Wang and J.F. Luo (2013) An efficient key-policy attribute-based encryption scheme with constant ciphertext length, Mathematical Problems in Engineering, Hindawi, Vol. 2013, pp. 1-7.
[13] J. Li, X.Y. Huang, J.W. Li, X.F. Chen and Y. Xiang (2014) Securely outsourcing attribute-based encryption with checkability, IEEE Transactions on Parallel and Distributed Systems, Vol. 25, No. 8, pp. 2201-2210.
[14] L. Ibraimi, M. Asim and M.
Petkovic (2009) Secure management of personal health records by applying attribute-based encryption, 6th International Workshop on Wearable Micro and Nano Technologies for Personalized Health (pHealth), IEEE, pp. 71-74.
[15] M. Li, S.C. Yu, Y. Zheng, K. Ren and W.J. Lou (2013) Scalable and secure sharing of personal health records in cloud computing using attribute-based encryption, IEEE Transactions on Parallel and Distributed Systems, Vol. 24, No. 1, pp. 131-143.
[16] T. Okamoto and D. Pointcheval (2001) REACT: rapid enhanced-security asymmetric cryptosystem transform, CT-RSA 2001, LNCS 2020, Springer Berlin Heidelberg, pp. 159-174.
[17] E. Fujisaki and T. Okamoto (2011) Secure integration of asymmetric and symmetric encryption schemes, Journal of Cryptology, Vol. 26, No. 1, pp. 80-101.
[18] A. Beimel (1996) Secure schemes for secret sharing and key distribution, PhD Thesis, Israel Institute of Technology, Technion, Haifa, Israel.
[19] J.A. Akinyele, et al. (2013) Charm: a framework for rapidly prototyping cryptosystems, Journal of Cryptographic Engineering, Vol. 3, No. 2, pp. 111-128.
[20] M. Green and J.A. Akinyele (2014) The functional encryption library, Online, accessed 18-July-2014, http://code.google.com/p/libfenc/.
[21] E. Young and T. Hudson (2014) The openssl project, Online, accessed 18-July-2014, http://www.openssl.org/.
[22] B. Lynn (2014) The pairing-based cryptography library, Online, accessed 18-July-2014, http://crypto.stanford.edu/pbc/.
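
Added example (not from the paper or its Charm-based implementation): LSSS share generation and the linear reconstruction property of Section 2, worked in Python over a prime field. The policy (doctor AND cardiology) OR researcher, its matrix M, the labelling RHO and the modulus P are constructed for illustration; in the scheme the same constants β_i are applied as exponents on pairing values during Decrypt.

```python
import secrets

# Assumed prime modulus standing in for the group order p (a Mersenne prime).
P = 2**127 - 1

# Constructed share-generating matrix for (doctor AND cardiology) OR researcher.
# Row i is labelled by attribute RHO[i]; the target vector is (1, 0).
M = [[1, 1],    # doctor
     [0, -1],   # cardiology
     [1, 0]]    # researcher
RHO = ["doctor", "cardiology", "researcher"]


def share(secret, matrix, p=P):
    """Return the shares alpha_i = (M v)_i for v = (s, r_2, ..., r_n)."""
    n = len(matrix[0])
    v = [secret % p] + [secrets.randbelow(p) for _ in range(n - 1)]
    return [sum(m * x for m, x in zip(row, v)) % p for row in matrix]


def recon_constants(matrix, rho, attrs, p=P):
    """Find beta_i (i in I) with sum_i beta_i * M_i = (1, 0, ..., 0) mod p.

    Returns a dict {row index: beta_i}, or None when the attribute set is
    unauthorized (the linear system has no solution).
    """
    I = [i for i, a in enumerate(rho) if a in attrs]
    n = len(matrix[0])
    # One equation per matrix column, one unknown per usable row, plus RHS.
    A = [[matrix[i][c] % p for i in I] + [1 if c == 0 else 0]
         for c in range(n)]
    pivots, r = [], 0
    for col in range(len(I)):
        pr = next((k for k in range(r, n) if A[k][col]), None)
        if pr is None:
            continue                      # free variable, fixed to 0 below
        A[r], A[pr] = A[pr], A[r]
        inv = pow(A[r][col], -1, p)       # modular inverse (Python 3.8+)
        A[r] = [x * inv % p for x in A[r]]
        for k in range(n):
            if k != r and A[k][col]:
                f = A[k][col]
                A[k] = [(x - f * y) % p for x, y in zip(A[k], A[r])]
        pivots.append(col)
        r += 1
    # A zero row with a non-zero right-hand side means: no reconstruction.
    if any(row[-1] for row in A[r:]):
        return None
    beta = {i: 0 for i in I}
    for row_idx, col in enumerate(pivots):
        beta[I[col]] = A[row_idx][-1]
    return beta


def reconstruct(shares, beta, p=P):
    """Linear reconstruction: s = sum_{i in I} alpha_i * beta_i mod p."""
    return sum(shares[i] * b for i, b in beta.items()) % p


if __name__ == "__main__":
    s = secrets.randbelow(P)
    alphas = share(s, M)
    for attrs in ({"doctor", "cardiology"}, {"researcher"}, {"doctor"}):
        b = recon_constants(M, RHO, attrs)
        ok = b is not None and reconstruct(alphas, b) == s
        print(sorted(attrs), "authorized" if ok else "unauthorized")
```
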
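
Added example (not the authors' code): the polynomial key hiding of Encrypt steps 3-4 and the PSD branch of Decrypt in Section 3, including the MAC check that yields ⊥ for a non-receiver. No pairing library is used: v_for() is a hypothetical SHA-256 stand-in for H_2(ê(g_ID_i, h)^s), SHAKE-256 and HMAC-SHA-256 stand in for Γ and MAC, and the modulus P is an assumed prime.

```python
import hashlib
import hmac
import secrets

# Assumed prime modulus standing in for the group order p.
P = 2**255 - 19


def v_for(identity: bytes, session: bytes) -> int:
    """Hypothetical stand-in for v_i = H_2(e(g_ID_i, h)^s).

    In the scheme the sender derives it from s and the receiver from
    (D_ID, C'); here both sides hash (identity, session) instead.
    """
    digest = hashlib.sha256(b"v|" + identity + b"|" + session).digest()
    return int.from_bytes(digest, "big") % P


def poly_from_roots(roots, k2):
    """Coefficients [c_0..c_{t-1}] of f(x) = prod(x - v_i) + k2 mod p.

    f is monic, so the x^t coefficient is implicit, as in the ciphertext.
    """
    coeffs = [1]                                  # low-order term first
    for v in roots:
        nxt = [0] * (len(coeffs) + 1)
        for j, c in enumerate(coeffs):
            nxt[j] = (nxt[j] - v * c) % P         # multiply by (x - v)
            nxt[j + 1] = (nxt[j + 1] + c) % P
        coeffs = nxt
    coeffs[0] = (coeffs[0] + k2) % P
    return coeffs[:-1]


def eval_monic(cs, x):
    """Horner evaluation of x^t + c_{t-1} x^{t-1} + ... + c_0 mod p."""
    acc = 1
    for c in reversed(cs):
        acc = (acc * x + c) % P
    return acc


def xor_stream(key: int, data: bytes) -> bytes:
    """Stand-in for Enc/Dec of the symmetric scheme (SHAKE-256 keystream)."""
    ks = hashlib.shake_256(key.to_bytes(32, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def tag(k2: int, m: bytes, e2: bytes, cs) -> bytes:
    """Stand-in for A_2 = MAC(k_2, m, E_2, c_0, ..., c_{t-1})."""
    body = len(m).to_bytes(4, "big") + m + e2
    body += b"".join(c.to_bytes(32, "big") for c in cs)
    return hmac.new(k2.to_bytes(32, "big"), body, hashlib.sha256).digest()


def encrypt_psd(m: bytes, identities):
    session = secrets.token_bytes(32)             # plays the role of s / C'
    k2 = secrets.randbelow(P)
    cs = poly_from_roots([v_for(i, session) for i in identities], k2)
    e2 = xor_stream(k2, m)
    return session, (cs, e2, tag(k2, m, e2, cs))


def decrypt_psd(identity: bytes, session: bytes, ct):
    cs, e2, a2 = ct
    k2 = eval_monic(cs, v_for(identity, session))  # k_2' = f(v_i')
    m = xor_stream(k2, e2)
    # A non-receiver gets prod(v - v_i) + k_2 != k_2, so the tag check fails.
    return m if hmac.compare_digest(tag(k2, m, e2, cs), a2) else None


if __name__ == "__main__":
    receivers = [b"alice", b"bob", b"carol"]      # constructed identities
    session, ct = encrypt_psd(b"constructed sample record", receivers)
    print(decrypt_psd(b"bob", session, ct))
    print(decrypt_psd(b"mallory", session, ct))
```
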